Digital Transformation in Government Insight #59: DTA's Secure Cloud Strategy
Earlier this year the DTA released the Secure Cloud Strategy, which aims to help government agencies make the most out of cloud services.
About the Strategy
In February 2018, the Secure Cloud Strategy replaced the Australian Government Cloud Computing Policy. It’s pretty concise at 39 pages and will give you everything you need to know about the future of cloud in the Australian public sector. As a start, you might like to read our summary below. Alternatively, you may like to read our more detailed blog on the Secure Cloud Strategy.
The Secure Cloud Strategy starts off looking at the why in more detail — why cloud is a good model for government agencies. Key benefits mentioned include:
- Agility — ability to scale up and down quickly and easily, and access to the latest technological advances.
- Operational effectiveness — allowing resources to shift focus from maintenance to improved service delivery.
- Visibility — delivering real-time monitoring and a more visible environment.
The strategy also looks at the barriers within government and industry before moving on to the overall strategy.
The principles
The strategy presents seven principles that should be followed. The principles are:
- Make risk-based decisions when applying cloud security — this means decisions should be based on risk assessment by applying relevant security policy rather than on a compliance ‘checklist’.
- Design services for the cloud — because of the many benefits, agencies must use cloud services for new services wherever possible, and must design applications as cloud native or cloud-enabled in line with the National Institute of Standards and Technology (NIST).
- Use public cloud services as the default — agencies should use public cloud services where possible, ensuring the service meets the necessary security requirements.
- Use as much of the cloud as possible — agencies should use the cloud as much as possible or develop cloud-enabled services.
- Avoid customisation and use services ‘as they come’ — services should be configured rather than custom-built to improve agility.
- Take full advantage of cloud automation practices — agencies should make the most of cloud’s automation to minimise the effort required to “provision, configure, backup, restore, patch, update and deploy services.”
- Monitor the health and usage of services in real time — agencies should: use cloud metrics to support their needs; control costs through scaling on demand; and monitor the health of cloud services.
The DTA document stresses that these principles should be followed, but that because each agency is unique, each agency will have its own needs. This leads to the Secure Cloud Strategy’s first initiative...
The initiatives
The Strategy outlines eight initiatives:
- Initiative 1: Agencies must develop their own cloud strategy.
- Initiative 2: Implement a layered certification model, following the IRAP process to assess services and sharing these through a common framework to reduce the burden on the ASD.
- Initiative 3: Redevelop the Cloud Services Panel to align with the procurement recommendations for a new procurement pathway that better supports cloud commodity purchases.
- Initiative 4: Create a dashboard to show service status for adoption, compliance status and services panel status and pricing.
- Initiative 5: Create and publish cloud service qualities baseline and assessment capability.
- Initiative 6: Build a cloud responsibility model supported by a cloud contracts capability.
- Initiative 7: Establish a whole-of-government cloud knowledge exchange.
- Initiative 8: Expand the Building Digital Capability program to include cloud skills.
The document then looks at cloud.gov.au, stressing that while it’s a fully supported environment for agencies to use, it’s “not a single cloud platform for all government cloud use.” In fact, the strategy specifically states there should not be ONE single cloud platform for government.
Finally, the Strategy document looks at platforms that will be investigated, because they can help cloud adoption and collaboration. These include:
- Federated access management — managing user access in a central location.
- PROTECTED collaboration — taking up the opportunity to collaborate and access information in a PROTECTED environment through a common, shared platform.
- Integrated Service Management — building best practices for monitoring services across multiple cloud providers through the development of toolkits, reporting and integration capabilities.
Salsa Digital’s take
The cloud is a fantastic tool, and something we've been committed to for some time now. In fact, it was a key part of our journey to GovCMS. The cloud does deliver big benefits and it’s great to see government and the DTA paving the way for greater adoption across the Australian public sector. If you'd like more information about the policy and initiatives you may like to read our more detailed blog on the Secure Cloud Strategy.